Wi-Fi snooping tool drills gaping holes in security

The online world is abuzz with the news of an Internet browser tool that lets even the most technologically inept snoop on their neighbours over Wi-Fi networks.

But the real story is that it has taken this Wi-Fi snooping-for-dummies tool to draw attention to gaping security holes that can leave your online interactions about as private as a postcard.

And in what is beginning to look like a grassroots campaign, the release of the snooping tool that works with the Firefox browser has since been joined by another aimed at warning Twitter users that their insecure surfing leaves their accounts open to hijacking.

Yet computer users are still blithely signing on to Facebook, Twitter and other social media sites while they sit in their local coffee shop, either not knowing or not caring that their latte-sipping neighbour may be hacking into their personal networks.

Kris Constable, director of the Victoria-based PrivaSecTech, which specializes in information security and privacy technology, said the release of the Firefox extension Firesheep is both good and bad: it draws attention to security issues, but people could also be using it to become online snoops.

“There is nothing technically new with this,” he said. “The only thing this has done has made it prettier and more accessible. And the media attention has made it more known.”

Eric Butler, the Seattle freelance software developer who released the extension for Firefox, did so to highlight the security issues and put pressure on websites to use end-to-end encryption, which shows up in a web address as https.

In just over a day after its release, Firesheep was downloaded 129,000 times.

“The real story here is not the success of Firesheep, but the fact that something like that is even possible,” Butler wrote in his blog codebutler.

Having such downloads on your computer isn’t illegal, but using them could put you on the wrong side of the law, said Peter Roberts, a lawyer with Lawson Lundell LLP.

“Providing you have the right licences there is nothing wrong with buying a firearm,” he said. “It is what you do with it.”

It also depends on the nature of the information.

“If you are intercepting publicly available information on publicly available websites there is nothing wrong with that,” said Roberts. “It is when you start intercepting private information.”

Accessing and downloading someone’s private information could potentially be considered theft, a criminal offence, Roberts warned, and it could give rise to a civil claim of breaching privacy.

Victims may find it difficult to go after their online attackers.

“There are two problems, how do you figure out who they are and can they pay at the end of the day,” Roberts explained.

The victim of a Wi-Fi snoop could also be potentially liable for exposing information if he or she is using data that would be covered by the Freedom of Information and Protection of Privacy Act.

Firesheep focuses on the “cookies” that are used for authentication by websites while you are logged in for a session. For many websites, the information in those cookies isn’t encrypted. In the case of social networking sites like Facebook, that can allow an electronic eavesdropper to get into your social networking profile, post messages, change your password or otherwise create havoc.

Constable points out there is other easily obtainable software that can give electronic eavesdroppers access to every bit of unencrypted Internet data you are sending and receiving, not just your social networking activities.

“If you’re at a coffee shop now and running Wireshark [a network protocol analyzer] you can see every e-mail, every MSN conversation, anything that is not encrypted,” said Constable.

A network analyzer (also known as a packet sniffer) doesn’t have to be on your network to see what you’re doing.

“If I’m sniffing packets, all I’m doing is watching what is going over the air on my [computer] antenna,” said Constable. “I don’t need to connect to your network.”

1. Don’t use open Wi-Fi networks. If you must, when signing into Facebook, Twitter, your e-mail or other websites that require user authentication, make sure the Web address starts with https. Some sites, like your bank or Gmail, automatically default to https. Others like Facebook and Twitter don’t, but you can choose that option.

2. To switch to a secure connection, you can go to the address bar and add an “s” to http; for example, if you do that with Facebook, you’ll find yourself at https://www.facebook.com. When you bookmark sites, make sure you bookmark the ones starting with https.

3. Use the Firefox plug-in Force-TLS to force sites to use https, a move that makes any data transferred between your computer and the website it is reaching unreadable to snoops. You can search for Force-TLS at https://addons.mozilla.org. There’s a similar one on Firefox called HTTPS Everywhere, still in beta. Once Force-TLS is added, you’ll get an option in the drop-down Tools menu to “ForceTLS Configuration.” You have to add in all the networks you want to sign into only with https. If the website doesn’t have the option of a secure connection, it won’t work.

4. When you’re signing into any networks that require authentication in a new wireless location — say you’ve gone out for coffee and taken your netbook along without signing out — make sure you have closed any online accounts before you log onto the network. Then sign in again, making sure it’s over a https connection.

5. Use your company VPN (Virtual Private Network) or set up your own VPN, although that is an option more complicated than the casual computer user would want to undertake.

Gillian Shaw, Vancouver Sun
